COMPUTER INTRUSION - CRIMINAL


Synopsis: Request captioned matter be opened and assigned to the 
writer. 


Details: The purpose of this EC is to request captioned matter 
be opened and assigned to the writer. This matter is predicated 
based on information received from the complainant/victim 
organization, Government of District of Columbia (DC). 


On 4/20/2012, WFO CY-4 received information that the
DC's website, DC.gov, was under attack. Writer talked to [redacted],
Chief Technology Officer, Office of the Chief Technology
Officer (OCTO), Government of the District of Columbia, 441 4th
St. NW, Washington, DC 20001, telephone number: [redacted], via
telephone the same day. [Redacted] reported DC.gov website was
under Distributed Denial of Service (DDOS) attack since 4/18/2012
6:45pm. 25 hours into the attack, OCTO was able to restore the
website and contained the DDOS attack. OCTO did not detect any
intrusions into DC government's computer network. [Redacted]
forwarded writer an email containing possible perpetrators' twitter
postings, postings at Pastebin.com, and a link to
team-diversity.net. Within the twitter


UNCLASSIFIED


To: Washington Field From: Washington Field
Re: 06/12/2012
t: a n SER ID associate with all the 
logins, NS indicated these are the 
user account IDs; each contained user personal information. 
Information on these user accounts are pending from NS. 


++ 
To: Washington Field From:
Re: [04/23/2022 


LEAD (s): 
Set Lead 1: (Info) 
NEW YORK 


T CY2 


Read and clear. 
Washington Field


FD-302 (Rev. 10-6-95)


- 1 -
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 04/24/2012 


On 4/24/2012, [redacted], Chief Technology Officer,
Office of the Chief Technology Officer (OCTO), Government of the
District of Columbia, [illegible] NW, [illegible],
telephone number: [redacted], email: [redacted], was
interviewed in Washington, D.C. Also present during the interview
were [redacted], email address: [redacted], telephone
number: [redacted], cell phone number: [redacted]. After being
advised of the identity of the interviewing agent and the nature of
the interview, [redacted] provided the following information:


[Redacted] provided two CDs, one contained PCAP files and
graphs from Distributed Denial of Service (DDOS) attack from
4/18/2012 to 4/19/2012, and the other contained the firewall logs
from that attack. [Redacted] stated the personal information on DC
Mayor was not accurate and it was not the result of any computer
intrusions in DC government network. DC government has not
discovered any other DC government employee's personal information
was published on the internet.


[Redacted] introduced writer to [redacted], Security
Operations, Office of the Chief Technology Officer, telephone
number: [redacted], email: [redacted]. [Redacted] is
the point of contact for any technical questions regarding the DDOS
attack.


Investigation on 4/24/2012 at Washington, DC


File # Date dictated


by


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/01/2012 
To: Washington Field Attn: CY4 
From: Washington Field 


CY4/NVRA 
Contact: 


Approved By:


Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL


Synopsis: Documenting finding on [redacted].
Details: On 5/1/2012, writer found a twitter posting between
[redacted] contact him at [redacted] to discuss his attacks
on dc.gov webs


A Google search using on email . sd an 
email Isted ant = |e POX information, revealed the following 
website that link the Comcast email account to the “Team 
Diversity” member 


Additional searches revealed the following information: 

The third return result in Google’s organic (non-paid)
search returns was titled “Hack Forums ~ {Team Diversity} Selling
GT: stfu” and located at www.hackforums.net > Hack Forums >
Marketplace > Gametags. The excerpt in the search return
included the following text, “05-20-2011, 3:39 PM. GT Control
Proof: Spoiler (Click to View). [image: gl059.jpg]. Contact AIM:
XBLTime.
UNCLASSIFIED


To: Washington Field From: Washington Field 
A post made to codeupload.com (codeuploade.com/4851) on 23
December 2011 at 5:15 pm UTC [illegible] stated the following:

1. [redacted]
2. [redacted]
3. [redacted]
4. [redacted]
5. [redacted]
6. Team Diversity Gamertags
7. Team Diversity
8. Team Diversity
9. http://www.youtube.com/watch?tvnbW 3


The referenced YouTube post was no longer available at the time 
of the open source searches. 


An AOL LiveStream profile using moniker [redacted]
contained the following, "ADD [redacted]" on May 12 at
5:05 pm and “Selling Diversity Booter 300+ shells only $10” on
Jan 20 at 5:54 PM.


An Xbox Live Profile (live.xbox.com/en-US/Profile?gametag=my
bolt action) lists in the BIO section the following information,
“Team Diversity - [redacted]” and "AIMs: [redacted]
YouTube.com: [redacted]".


Writer intended to subpoena registration information on
these email accounts and request search warrants as well.


++ 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/01/2012 
To: Washington Field Attn: CY4 
From: Washington Field 
CY4/NVRA
Contact: Sean
Approved By:


Drafted By:


Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL


Synopsis: Documenting email communication with New York office. 


Details: On 4/27/2012, writer received an email from SSA
[redacted]
regarding terminating the lead to Los Angeles to interview
possible suspect [redacted] in order to avoid operational conflict
with the FBI New York investigation. Writer will continue all
other logical investigative steps to move case forward.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 04/23/2012 
To: Washington Field Attn: SA KER 
New York Attn: SSA 
Minneapolis Attn: SSA 
SA 
Phoenix Attn: SSA 


From: Washington Field 
ID-3, CY-4/NVRA/3E 


Contact: IA [redacted]


Drafted By: [redacted]


Case ID #: [redacted]
174C-MP-74385 (Pending)
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL
UNS
AKA


02/22/2012,
TELEPHONE BOMB THREATS


Synopsis:  (U) To document open source searches revealing DDoS, 
hacking and doxing activity by members of the UGNazi Hacktivist 
Group. 


Enclosure(s): Print-outs of referenced web pages will be 
maintained to the captioned investigation's case file via 1A. 


Details: (U//FOUO) By way of background, Washington Field Office
(WFO) squad CY-4 opened the captioned investigation into the 
hacktivist group "UGNAZI" in April 2012 based on the group's 
claims of responsibility for online attacks targeting computer 
network infrastructure belonging to the District of Columbia 


12ja114b.ec UNCLASSIFIED//FOR OFFICIAL USE ONLY


AKA
AKA
CHASKA POLICE DEPARTMENT, (VICTIM)


To: Washington Field From: Washington Field
Re: [redacted], 04/23/2012


(Reference [redacted] for details). Open source
searches for [redacted] and the following identified group members
revealed the following information.


(U) A 19 April 2012 post to the "UGNaziNews"
Twitter [illegible], hereafter
[redacted], stated, [redacted].
The hyperlinked text ending in [redacted]
linked [illegible]
Uniform Resource Locator (URL) [redacted]
that displayed a web page not available
error message for nyc.gov. The hyperlinked text ending in
[redacted]
linked to an image at the URL [redacted]
that displayed a web page not available error for dc.gov.
The [redacted]
hyperlinked URL linked to a news story about the Hacker Group
UGNazi conducting Distributed Denial of Service (DDoS) attacks
against dc.gov and nyc.gov as an act of protest against the US
Government.


(U) A 19 April 2012 post to the UGNaziNews Twitter feed by
[redacted]. The [redacted]
linked to an image at the URL [redacted]
that displayed a web page not available
error for washington.org.


(U) A 19 April 2012 post [redacted]
stated [redacted].
The hyperlinked pastebin URL linked to a
pastebin post that contained Personal Identifying Information
(PII) for Washington DC Mayor Vincent Gray; including Date of
Birth (DOB), Social Security Number (SSN), phone numbers and
addresses.


(U) A 19 April 2012 post to the UGNaziNews Twitter feed by 
To: Washington Field From: Washington Field
Re: 04/23/2012 


URL linked to an image at [redacted] that displayed a
web page not available error for nasdaq.com.


(U) A 20 April 2012 post [illegible]
displayed a web page not available error for [redacted]


(U) A 20 April 2012 post to the UGNaziNews Twitter feed by
[redacted]. The hyperlinked URL linked to an
image at [redacted] that displayed a web page not
available error for wa.gov.


(U) A 23 April 2012 post [illegible] by
[redacted]. The hyperlinked pastebin URL
linked to pastebin post that contained a message apparently
[illegible] Protection Act - [illegible]
523 and [illegible] pastebin [illegible] the


(U) The hyperlinked [redacted] linked to a
pastebin post made in apparent retaliation for law enforcement
[illegible]
protest of [redacted]
member [redacted] claimed to have [redacted]
and listed alleged
FBI.gov Server details, Intranet vulnerabilities, and d0xed 7
FBI agents allegedly involved in bringing down LulzSec. The
[redacted]
The d0x listed credit card numbers,
CVC2s, fbi.gov email addresses and passwords. The email


UNCLASSIFIED//FOR OFFICIAL USE ONLY


UNCLASSIFIED//FOR OFFICIAL USE ONLY
To: Washington Field From: Washington Field 


addresses did not conform to the format used by FBI email 
accounts used on either unclassified or classified networks. 


(U) FBI intranet directory searches on the names of
aforementioned d0xed agents did not return [illegible]
listings for FBI employees; with the exception of [redacted]
which returned information on a [redacted]
whose work telephone number indicated he works out
[redacted]

(U) The hyperlinked [redacted] linked to a
pastebin post that listed PII for 5 alleged "CIA Field Agents".
The post claimed the PII was obtained by hacking cia.gov email
accounts.


(U) A 23 April post to the UGNaziNews Twitter feed by the
[illegible] Twitter profile [redacted],
hereafter referred [illegible]
[illegible] leaked [illegible].
The hyperlinked pastebin URL
linked to the aforementioned pastebin post tweeted by
[redacted].
[Redacted] linked to an image at [redacted]
that displayed a web not available error
for cia.gov.

(U) A 23 April post to the UGNaziNews Twitter feed by the
owner/operator of the UGNazi Twitter profile [redacted]
hereafter referred to as the [redacted]

(U) A 23 April 2012 post to the UGNazi [illegible] by the
[illegible] Twitter account [redacted]
[illegible]. The hyperlinked [redacted]
URL linked to a [illegible] post that contained a [illegible] page (when
printed) list of PII for [redacted]
and his family, as well as what appeared to be content of
email messages in which [redacted] indicates that he "swatted" people.
To: Washington Field From: Washington Field
Re: 04/23/2012 


contained a URL to an image at
[redacted]
which displayed what appeared to be the
contact page for an online bank account or credit card account
manager for an account belonging to [redacted].
Based on the location of the URL in the
d0x, right below [redacted]'s Visa credit card information, it
is assessed with medium confidence that this screen shot image
may be for an account manager page tied to that credit card.


(U//FOUO) An ACS search revealed a connection between [redacted]
and a series of telephonic bomb threats being investigated by
Minneapolis Division ([redacted] for details).


(U//FOUO) The following emails [illegible] in the [redacted] d0x were
run as search terms [illegible] yielded one positive
result for the email [redacted]. The serial documented
open source derived information which tied the email account to
the name [redacted] which is [illegible] to the alias
[redacted] listed in [illegible] d0x [illegible]
serial 9 for [illegible]. The d0x also lists
[redacted]'s AOL Instant Messenger ID [illegible]
reference


(U) The [redacted]
profile for [redacted]
YouTube [illegible]
that
contained the following comments dealing with swatting:
To: Washington Field From: Washington Field
Re: 04/23/2012


Analysis:
(U//FOUO) It is assessed with high confidence that the UGNazi
hacktivist group did not compromise FBI or CIA employee email
accounts as claimed in the aforementioned d0xing posts and NYO
ADIC letter post made by UGNazi members to pastebin. This
assessment is based on the following indicators that [illegible] the
[redacted]

(U//FOUO) It is assessed with medium to high confidence that the
d0x published by the UGNazi hacktivist group targeting
[redacted] is true information possibly obtained by UGNazi
members through the compromise of one or more of the email
accounts listed in the d0x. This assessment is based upon the
preponderance of corroborating information listed below.


UNCLASSIFIED//FOR OFFICIAL USE ONLY
To: Washington Field From: Washington Field
Re: 04/23/2012


Based on the aforementioned details corroborating the
[redacted] d0x it is assessed with medium confidence that one or
more members of the UGNazi hacktivist group are capable (both in
motivation and skill level) of committing computer network
intrusion and/or social engineering resulting in the compromise
of online password protected accounts.
To: Washington Field From: Washington Field
Re: 04/23/2012 


Accomplishment Information: 
Number: 1
Type: SUBJECT IDENTIFIED 
mv: C] 
Claimed By: 

SSN: 

Name: 

Squad 
To: Washington Field From: Washington Field
Re: 04/23/2012


LEAD (s) : 
Set Lead 1: (Info) 

NEW YORK 

AT NEW YORK, NY 

For New York Field Office Squad CY-2's situational 
awareness. Read and clear. 
Set Lead 2: (Info) 

MINNEAPOLIS 


AT MINNEAPOLIS, MN 


For Minneapolis Field Office Squad CT-3's situational
awareness. See the information regarding the possible true
identity of [redacted] and alleged evidence of swatting activity
documented on pages 4 - 6 of the enclosed communication. The
[redacted]
report are enclosed in the accompanying 1A. Read and clear.

Set Lead 3: (Info) 


PHOENIX 
AT PHOENIX, AZ 
For Phoenix Field Office Squad C-2's situational 
awareness regarding d0xing victims and possible case subject 
residing in Phoenix's AOR. Read and clear. 


++ 
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/11/2012

To: Cyber Attn: SSA [redacted]
SSA [redacted]

To: Charlotte Attn: SSA

To: Dallas Attn: SSA

To: Houston Attn: SSA


To: Los Angeles Attn: Cyber
To: Little Rock Attn: SSA
To: New York Attn: SSA
From: Washington Field
CY-4/NVRA
Contact: [redacted]


Approved By:


Drafted By:


Case ID #:


Title: UGNAZI;
TEAM DIVERSITY;
DC.GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL


Synopsis: To document notification and liaison contact made with
Special Agent (SA) [redacted], [redacted]
Office of Inspector General (OIG) on 05/11/2012.


Attachment: E-mail communication from Supervisory Special Agent (SSA) [redacted]
regarding a distributed denial of service attack (DDoS) of
the [redacted] web site dated 05/11/2012.

Details: On 05/11/2012, SSA [redacted] contacted SSA [redacted] via UNET
e-mail advising of a DDoS attack of the [redacted] web
page apparently conducted by members of "UGNazi", including
individuals utilizing the monikers [redacted] respectively.


On this same date, via e-mail and telephone conversations,
SSA [redacted] advised [redacted] liaison contacts of this

UNCLASSIFIED 131kbecl.wpd 


UNCLASSIFIED
To: Cyber From: Washington Field
Re: 05/11/2012


possible DDoS. SA [redacted] later confirmed their web site had in fact
been DDoSed but was now currently up and running. SA [redacted] is
[illegible] prosecutive opinion. SA [redacted] advised he may
[illegible] once
he has a better understanding of the incident.


SA [redacted] advised [illegible] through open
source research he identified Twitter feeds of individuals claiming
responsibility for the DDoS of [redacted]. [Redacted] will continue
coordination efforts with [redacted] [illegible] this matter.


On 05/11/2012, SSA [redacted] forwarded a copy of the attached
e-mail thread related to this incident to all identified field offices 
with potential equities in this matter for their situational 
awareness. 
UNCLASSIFIED


To: Cyber From: Washington Field
Re: 05/11/2012 


Set Lead 1: (Info) 
CYBER 
AT WASHINGTON, DC 
For information. 


Set Lead 2: (Info) 


CHARLOTTE 


AT CHARLOTTE, NC 


For information. 


Set Lead 3: (Info) 


DALLAS 


AT DALLAS, TX 


For information. 


Set Lead 4: (Info) 


HOUSTON 
AT HOUSTON 


For information. 
UNCLASSIFIED
To: Cyber From: Washington Field

Re: 05/11/2012 

Set Lead 5: (Info) 


LOS ANGELES 


AT LOS ANGELES, CA


For information. 


Set Lead 6: (Info) 
LITTLE ROCK 


AT LITTLE ROCK, AR 


For information. 


Set Lead 7: (Info) 


NEW YORK 


AT NEW YORK, NY 


For information. 


++ 
Subject:


See the below re a confirmed DDoS of the [redacted] website purportedly conducted by
members of UGNazi to include [redacted]. [Redacted] OIG POC advised they had
infrastructure in three places [illegible]. He is checking to determine the other
locations and which were affected and will get back to me.


[redacted]
SSA
FBI/WFO/NVRA/CY-4
(D)
(C)
703.686.6010 (F)


Subject: RE:


[redacted]
SSA
FBI/WFO/NVRA/CY-4
(D)
(C)
703.686.6010 (F)




I am a Cyber Squad Supervisor in the WF Office and [illegible]
appreciate any information you have on the subjects involved in th[illegible]


[illegible] currently down due to DDoS attack [illegible]
I believe I have PII for [redacted]


provide contact info for the agent looking into [redacted]


to include name and home address. Can you
? My notes from today's meeting are


Subject: Re:
Please see below in regards to a DDoS attack attributed to [redacted]
Sent: Thu May 10 23:12:11 2012
Subject:
and members of UGNazi to include [redacted]
at the office and I will be out until May 21.
Twitter accounts for individuals captioned above are: [redacted]


I'll keep you updated as info comes in.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/07/2012 


To: Washington Field Attn:  CY-4 


From: Washington Field 
CY4/NVRA 
Contact: [redacted]


Approved By:


Drafted By:

Case ID #: (Pending)


Title:  UGNAZI - UGNAZI; 
TEAM-DIVERSITY; 
DC GOV - VICTIM; 
COMPUTER INTRUSION - CRIMINAL 


Synopsis: Requesting a STATS sub file to be opened. 
Details: Writer requesting a STATS sub file to be opened under 


captioned case in order to record all the statistical 
accomplishments. 


++ 


osa (Main 
Closed: 


Class & 


UNCLASSIFIED 
U.S. Department of Justice


Federal Bureau of Investigation


In Reply, Please Refer to Northern Virginia Resident Agency
Manassas, VA 20109 


May 2, 2012 


Long Beach Police Department 
Computer Crimes Detail 


RE: Distributed Denial of Service (DDOS) attack on DC.gov website 
from 4/18/2012 to 4/19/2012. 


On 4/20/2012, the FBI Washington Field Office received
information that the DC's website, DC.gov, was under attack.
FBI Special Agent (SA) [redacted] talked to [redacted],
Chief Technology Officer, Office of the Chief Technology Officer
(OCTO), Government of the District of Columbia, 441 4th St. NW,
Washington, DC 20001, telephone [redacted], via
telephone the same day. [Redacted] reported DC.gov website was
under Distributed Denial of Service (DDOS) attack since 4/18/2012
6:45pm. 25 hours into the attack, OCTO was able to restore the
website and contained the DDOS attack. OCTO did not detect any
intrusions into DC government's computer network. [Redacted] sent
SA [redacted] an email in which contained postings on twitter.com,
Pastebin.com, and a link to team-diversity.net. Within the
twitter postings, user account [redacted]
[illegible] government, New [illegible]. In a twitter
posting between [redacted]
[illegible] report [illegible]
him at [redacted] to discuss the DDOS attacks on
dc.gov website. Further search in twitter postings revealed a
link to Pastebin.com posting which posted DC city mayor Vincent C
Gray's personal identification information (PII).


On 4/20/2012, writer talked to DC Metropolitan Police
Department Task Force Officer [redacted], telephone
number: [redacted], via telephone. [Redacted] stated the MPD was
aware of the leak of DC Mayor's PII. [Illegible] leaked PII was not
accurate and some information were outdated.


[Redacted] revealed two hacker group UGNazi, with website at
UGNazi.com, and Team Diversity at team-diversity.net. UGNazi.com


Following items are attached to this Letter: a CD
contained screen shots of twitter postings and online articles
regarding DDOS attack on DC.gov, a CD contained PCAP file, and a
CD contained firewall log on DDOS attack.


The above information is provided to you for action as
deemed appropriate. [Illegible] regarding this matter can be
directed to SA [redacted], Squad CY-4 (located at the
Northern Virginia Resident Agency), [redacted].

Sincerely, 
Ronald T Hosko 


Special Agent in Charge 


By: 


Supervisory Special Agent 


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/15/2012 
To: Washington Field Attn: CY4 


From: Washington Field 
CY4/NVRA 


Approved By:
Drafted By:
Case ID #: (Pending)


Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL 


Synopsis: Documenting finding on [redacted].


Details: On 5/2/2012, FBI Task Force Officer (TFO), Long Beach
Police Department Sgt. [redacted] contacted writer via email
and provided following information:


[Redacted] was arrested for numerous
computer related crimes by the Long Beach Police Department
(LBPD) and is due in court later in May 2012. He has been
positively identified and search warrants have been served. Some
of his computers are in LBPD custody. The handling LBPD
Detective [redacted], telephone number: [redacted],
has done lots of work on [redacted] and his friends.
[Redacted]'s personal information are following:


i 


DOB: 
Cell phone: 
Address: 


Subjects Mother: 


Address: 
Employer: 
Work P 
Cell: 


UNCLASSIFIED 
UNCLASSIFIED


To: Washington Field From: Washington Field
Re: [redacted], 05/15/2012


On 5/3/2012, TFO [redacted] [illegible] writer via email and
[illegible] list of the subjects who were identified by Detective
[redacted].


The following list was compiled from the SWATTING
and ID theft case Detective [redacted]
is investigating:


Twitter:
Facebook
YouTube:


Notes: I have several PayPal transactions regarding the purchase
of VEN accounts.


UNCLASSIFIED 
vember


(videos show DDoS of


To: Washington Field From: Washington Field


Address:


UNCLASSIFIED


UNCLASSIFIED
To: Washington Field From: Washington Field
Re: 05/15/2012


UNCLASSIFIED


UNCLASSIFIED
To: Washington Field From: Washington Field
Re: 05/15/2012
On 5/4/2012, writer received an email from SA [redacted],
Los Angeles Division. A copy of LBPD report on [redacted] was
attached to the email. The LBPD report was prepared by Detective
[redacted]; it detailed the [illegible] conducted for


++ 


UNCLASSIFIED 
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/15/2012 
To: Baltimore Attn: Cyber Squad 


From: Washington Field 
CY4/NVRA 


Approved By:


Drafted By:


Case ID #: (Pending)


Title: UGNAZI - UGNAZI; TEAM-DIVERSITY; 
DC GOV - VICTIM; 
COMPUTER INTRUSION - CRIMINAL 


Synopsis: Request concurrence from Baltimore Field Office to 
conduct interview in Annapolis, MD. 


Details: On 4/20/2012, Washington Field Office (WFO) CY-4
received information that the DC's website, DC.gov, was under
Distributed Denial of Service (DDoS) attack. During the course
of the investigation, writer determined the members of hacker
group UGNazi and Team Diversity were behind attack. Group member
[redacted], address: [redacted],
were positively identified
by Long Beach Police Department (LBPD) during their
investigation. LBPD provided WFO with information on
[redacted] as well as several [redacted].


The following individual
resides in [redacted]:


AKA:
Name:
DOB:
M/W
Address:


Home:
AIM:
Notes:


UNCLASSIFIED 


UNCLASSIFIED


To: Baltimore From: Washington Field


Writer intends to interview [redacted] to determine his
involvement in the DDoS attack against DC.gov and any other 
illegal online activities. 


UNCLASSIFIED 
UNCLASSIFIED


To: Baltimore From: Washington Field 


Set Lead 1: (Info) 


BALTIMORE 


/2012 


AT CYBER SQUAD 


Reques 
Annapolis, MD to interview 
++ 
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/18/2012 


To: Washington Field Attn: SA 
CY-04 


From: New York 
CY-02 
Drafted By:


Case ID #:


Title: OPERATION CARDSHOP


UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL 


Synopsis: To request Washington Field to delay contact with 
individuals associated with UG Nazi. 


Administrative: The following was emailed on May 17, 2012 as a 
follow up to a phone conversation. 


Subject: RE: interviews 


Good afternoon [redacted],


I appreciate the heads up regarding the information below. 
As per our phone conversation, please wait until the coordinated 
takedown, scheduled for June 26, 2012, to contact these guys. 


We are unfamiliar with [redacted] at the moment, [illegible] a
registered member of our UC forum. Many of the UG guys have


UNCLASSIFIED


UNCLASSIFIED


To: Washington Field From: New York
Re: 05/18/2012


direct connection with our UC forum and it will not be advisable
to approach them prior to June 26.


Lastly, [redacted] is out of the office and will be back on Monday.
He'll work on getting those logs to you next week. 


Thanks! 


Subject: interviews 


Hey guys, I got a list of names from [illegible] beach pd det [redacted].

Those are the ppl Det [redacted] identified in his
investigation into [redacted] and they associated with [redacted] online.
I notice there are couple of guys live close by to dc, would like
to interview them regarding their role in DC.gov attack and any
other illegal activities. Just want to be a team play and make
sure not stepping over each other. Oh by the way, did you
get chance to sent out those logs from NY.gov and NASDAQ.com
attacks? thanks


AKA: 
Name 
DOB: 
M/W 

Address: 
Home: 


M/W. 
Address: 


UNCLASSIFIED 
UNCLASSIFIED


To: Washington Field From: New York

Re: 05/18/2012


Details: New York respectfully requests Washington Field to
delay contact with the individuals associated with UGNazi, to


include the members mentioned above.


UNCLASSIFIED 
UNCLASSIFIED


To: Washington Field From: New York


LEAD (s): 
Set Lead 1: (Info) 
WASHINGTON FIELD 
AT WASHINGTON, DC 
New York respectfully requests Washington Field to 
delay contact with the individuals associated with UGNazi, to 


include the members mentioned above. 
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/22/2012 
To: Washington Field Attn:  CY-4 
From: Washington Field 

CY4/NVRA 

Contact: [redacted]


Approved By:


Drafted By:
Case ID #: (Pending)
(Pending)
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;


DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL 


Synopsis: Reporting investigation conducted. 


Details: From 5/2/2012 to 5/18/2012, through twitter postings by
[redacted] at [redacted] and third party reporting, writer learned
hacker group UGNazi was involved in attacks on IC3.gov, ed.gov,
Washington Military Department website, ca.gov, Government of
Anguilla (gov.ia), visa.com, cia.gov, wtf.com, Discover.com.


Pertaining to attack on wtf.com, information indicated
UGNazi hacked its registration information. Writer did a 
Domaintools lookup on wtf.com and find following as the 
registration information: 


Registrant: 

UGNazi, Inc. 

ATTN WTF.COM 

care of Network Solutions 

PO Box 459 

Drums, PA. US 18222 

Administrative Contact, Technical Contact: 


Created: 1995-08-12 
Expires: 2019-08-11 
Updated: 2012-05-17 


UNCLASSIFIED 


UNCLASSIFIED


To: Washington Field From: Washington Field
Re: 5/22/2012


Writer contacted Investigator [redacted] at
Network Solutions, [illegible] number: 703-668-5959,
via telephone on 5/22/2012. [Redacted] confirmed that wtf.com is
registered through Network Solutions; the real registrant
information and domain management account login information are
available upon request through a subpoena.
UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/24/2012 
To: Washington Field Attn: CY-4 
From: Washington Field
CY4/NVRA


Approved By:
Drafted By:
Case ID #: (Pending)
(Pending)
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL


Synopsis: Reporting AUSA's response.


Details: On 5/17/2012, writer submitted a subpoena request for
registrant information on wtf.com to Assistant US Attorney
[redacted] for approval. On 5/24/2012, [illegible]
prosecutor in Washin[illegible]
wtf.com intrusion to Detective [redacted], telephone:
[redacted], email: [redacted], Long Beach
Police Department for his case.
FD-302 (Rev. 10-6-95)


FEDERAL BUREAU OF INVESTIGATION


Date of transcription 06/08/2012


From 5/2/2012 to 5/18/2012, through twitter postings by
[redacted] at [redacted] and third party reporting, writer learned hacker
group UGNazi was involved in attacks on IC3.gov, ed.gov, Washington
Military Department website, ca.gov, Government of Anguilla
(gov.ia), visa.com, cia.gov, wtf.com, Discover.com.


Pertaining to attack on wtf.com, writer conducted another
domain lookup on wtf.com on 5/24/2012 and find following as the
registration information:


Registrant: 

Wtf, Inc. 

4550 Ocala Drive 
Parma, OH 44134 
US 


On 4/24/2012, [redacted],
telephone number: [redacted],
was interviewed via telephone. After being advised of the identity
of the interviewing agent and the nature of the interview, [redacted]
provided the following information:


[Redacted] noticed his website wtf.com was redirected to
ugnazi.com on 5/16/2012 and at same time he could not access his
domain management account at Network Solution and his emails with
Cox.net and Google. [Redacted] has phone and internet services
through Cox.net, when he contacted Cox, he found out his account
was compromised, and call forwarding was setup so all his call were
[illegible] to [redacted] at [redacted].
[Redacted] tried to call himself, but instead of going to his voice
mail like it used to, [illegible] someone picked up the call and
did not say anything. [Redacted] also recalled a backup [illegible]
his Cox account was changed to an email beginning with [redacted]
ending in ".com". [Illegible] his domain management account at
Network Solution was compromised and wtf.com registrant information
was changed on 5/17/2012 around 12:30 am. [Illegible] with
[redacted] LNU at Network Solution, 570-708-8700, ext [redacted]. Network

Investigation on 6/5/2012 at Washington DC (via facsimile)

Date dictated

by SA

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

FD-302a (Rev. 10-6-95)

Continuation of FD-302 of , On 6/5/2012, Page 2

created, as far as could recall, one was and the other was at UGNazi.com Inc. he has no relationship with any members of UGNazi and doesn't know why he was targeted. All of his accounts have since been reinstated.


is willing to provide the login logs for his 
Gmail and Network Solutions accounts. 


(Rev. 05-01-2008)

UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 06/12/2012
To: Washington Field Attn: CY-4
From: Washington Field
CY4/NVRA
Contact:
Approved By:
Drafted By:
Case ID #: (Pending)
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Reporting investigation conducted.
Details: On 6/7/2012, writer received an email with spreadsheet attachment named "Login History.xls" from , Investigator at Network Solutions (NS), . The spreadsheet contained login information for the domain management account for wtf.com. NS released this information to the FBI upon receiving a written consent from the owner of wtf.com, . The following is the login history:


Login History for Account

Date               Success   Relationship
5/17/2012 17:12    FALSE     Primary
5/17/2012 17:10    FALSE     Primary
5/17/2012 17:09    FALSE     Primary
5/17/2012 15:33    FALSE     Primary
5/17/2012 15:31    FALSE     Primary
5/17/2012 15:30    FALSE     Primary
5/17/2012 15:30    FALSE     Primary
5/17/2012 15:29    FALSE     Primary
5/17/2012 2:00     TRUE      Primary
5/17/2012 2:00     FALSE     Primary
5/17/2012 1:48     TRUE      Primary
5/17/2012 0:17     TRUE      Primary
5/17/2012 0:07     TRUE      Primary
5/17/2012 0:07     FALSE     Primary
5/17/2012 0:06     TRUE      Primary
5/17/2012 0:04     TRUE      Primary
5/16/2012 23:59    TRUE      Primary
5/16/2012 21:53    TRUE      Primary
5/16/2012 21:14    TRUE      Primary
5/16/2012 21:13    FALSE     Primary
5/16/2012 21:04    TRUE      Primary
5/16/2012 20:55    TRUE      Primary
5/16/2012 20:45    TRUE      Tech
5/16/2012 20:44    TRUE      Primary
5/16/2012 20:40    TRUE      Primary
5/16/2012 19:37    TRUE      Primary
5/16/2012 19:09    TRUE      Primary
5/16/2012 15:32    TRUE      Tech
5/16/2012 12:32    TRUE      Tech
5/16/2012 12:32    FALSE     Tech
5/16/2012 1:51     TRUE      Tech
5/16/2012 0:23     TRUE      Tech
5/16/2012 0:19     TRUE      Tech
5/16/2012 0:19     TRUE      Tech
2/10/2012 17:24    TRUE      Primary
2/10/2012 17:19    FALSE     Primary
2/10/2012 17:19    FALSE     Primary

IP address resolved to

Domain name:
Registrar:
Whois Server:
Registrant Contact:
is his home IP address. 


To: Washington Field From: Washington Field
Re: 04/22/2002


postings included a link to a Pastebin.com posting which revealed DC city mayor Vincent C Gray's personal identification information (PII).

On 4/20/2012, writer talked to , Metropolitan Police Department Task Force Office, telephone number: , via telephone. stated the MPD was aware of the leak of DC Mayor's PII. The leaked PII was not accurate and some were outdated.


Open source search on and "UGNazi @UGNazi" revealed two hacker groups, UGNazi, with website at UGNazi.com, and Team Diversity at team-diversi t. UGNazi members were
Team Diversity members were

ACS search on revealed he is the subject of New York field office's case, case number UGNAZI.


In serial 40, identified as following:

True Name:
Alias:
Monikers:
Address: (current)
Twitter:
Website:


Based on the information above, WFO requests that a Full Investigation be opened and assigned to